The Festival server which can be started using festival --server is vulnerable to unauthenticated remote command execution due to the inclusion of a scheme interpreter. It is possible to make use of standard scheme functions in order to execute further code, like so:

Whilst this is the most trivial way that the vulnerability can be exploited the inclusion of a scheme interpreter available without authentication allows for other vectors of attack. Scheme functions such as SayText and tts (which reads a file on the vulnerable system) pose particular interest, for example:

Whilst it is acknowledged that the inclusion of the scheme interpreter in this manner is entirely intentional, the default behaviour of the server could be exploited particularly where the user is unaware of the servers existance. In the case of both Debian unstable and Ubuntu Hardy Heron, this meant that the server was likely to be started by the init subsystem albeit as a non-privileged user.

Solutions:
In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server or filtering connections to the affected port using a host based firewall. The server itself can be secured by applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477. This includes applying a default configuration which limits access to localhost and setting an optional password which prevents unauthenticated access.

Following vendor notification on the 16th Febuary 2007 (Debian) and 2nd March 2007 (Ubuntu), both issued patched versions in their respective distributions which document the possible security issue and how it can be resolved and change the default behaviour of the package to prevent the server being started by the init subsystem. Details of the Debian changes can be found firstly in bug #466146 and then #466796. Nth Dimension would recommend that the patches for these bugs are applied. Nth Dimension would like to thank the Debian package maintainer Kumar Appaiahi as well as Nico Golde of Debian testing security and Jamie Strandboge of Canonical for the way they worked to resolve the issue.